Tuesday, 20 August 2019 06:54 GMT

Equifax - Part 2: Just Another Data Breach? Or C-Suite Criminal Negligence?

(MENAFN - ValueWalk) Equifax: The Hazards of Dragnet Surveillance Capitalism - Part 2: Just Another Data Breach? Or C-Suite Criminal Negligence?


Abstract

The reckless handling of data collected in capitalistic dragnet surveillance has developed into a national security and privacy epidemic. The Equifax breach, in which attackers exfiltrated the credit records of 143 million Americans, is an inexcusable travesty that resulted from systemic negligence and the irresponsible actions of senior executives. The company and its C-suite executives should not be permitted to simply cash in their insurance or pensions and then move on, while 44 percent of the nation has to change microscopic aspects of their daily lives to remain vigilant against lurking adversaries, despite never authorizing Equifax to collect, retain, or exchange their data. Rather than passing the brunt of the impact onto consumers, Equifax and its executives must be held accountable for their failure to secure consumer data according to its value, so that other data brokers and the American public understand that organizational actions that jeopardize the security and privacy of the public and the nation will not be allowed to continue without consequence.

Introduction

Few things are certain in the emerging cyber-kinetic-meta-war; however, one absolute is that capitalistic dragnet surveillance, formerly a privacy issue, has metastasized into a national security epidemic. The breach of Equifax, one of the largest data brokers, resulted in the loss of the credit record portfolios of 143 million Americans, nearly 44 percent of the population. Equifax repeatedly botched even fundamental incident response procedures. Instead of focusing on mitigating the potential harm to consumers and businesses, Equifax executives spent nearly six weeks devising machinations to lobby for the removal of consumer protections, to profit from victims through 'free' credit monitoring and identity theft services, and to trick average Americans into relinquishing their rights to pursue legal action against Equifax. Equifax and its executives should be held accountable for their failure to safeguard consumer data according to its value.

Given the nearly infinite capabilities of artificial intelligence and machine learning, malicious threat actors will be able to leverage the stolen Equifax credit records, together with metadata exfiltrated from other sources, in potent multivector cyber-kinetic-meta-warfare attacks against critical infrastructure personnel and average consumers for years or decades. The realistic best-case scenario is an onslaught of identity theft, credit profile manipulation, rampant tax fraud and health sector fraud. More likely, though, sophisticated adversaries will utilize the information to psychographically target vulnerable critical infrastructure executives and congressional employees with elevated privileges in precision-tailored social engineering campaigns that deliver malware or ransomware onto sensitive systems or that result in the exfiltration of intellectual property or classified intelligence.

In regard to the Equifax breach, ICIT has received more briefing requests from Congress, federal agencies, and domestic and international law enforcement than it has on multiple other recent major topics combined, including election hacking, Russian attempts to undermine democratic institutions, the OPM breach and the Anthem breach. Approximately 44 percent of the United States population had their credit records compromised, and victims are experiencing panic and fear as they begin to comprehend how potent tailored psychographic attacks can be when adversaries leverage the stolen Equifax files. Data brokers must understand that willful ignorance of cybersecurity and cyber-hygiene cannot be allowed to continue. Consumers' data are more than just commodities. Each loss impacts lives directly. Through its calamitous failures, Equifax has distinguished itself as the prime example.

Equifax should live on only in infamy, just as Enron remains an example of dishonest business practices. Equifax should epitomize the consequences of negligent data brokerage. Equifax systems can no longer be trusted. The integrity of the data in its possession has been compromised. The information cannot be regarded as authentic because adversaries could have altered, removed, or added details without Equifax's knowledge. Its 'Frankensteined' architectonic labyrinth of an IoT microcosm is prototypical of the vulnerable networks, managed by unqualified information security personnel, that support every major data broker.

The Equifax Breach Was an Inexcusable Travesty

The Equifax breach is more substantial than previous disastrous incidents at Target, Home Depot, Yahoo, and other companies, because the consumer data housed within Equifax systems are more substantial than just credit card information. Consumers can cancel a compromised credit card [1]. Equifax is a data broker. Its product is aggregated consumer information collected from third parties and dragnet surveillance initiatives. The exposed data included consumers' Social Security numbers, birth dates, full names, driver's license information, purchasing habits, frequented businesses, and other extremely personal information [1] [2]. Equifax and third parties fed the aggregate data into complex psychographic and demographic big data algorithms to predict microscopic and macroscopic aspects of individual consumers and entire groups, in order to assess the credit value of individual consumers and inform decisions about whether they were responsible enough to receive credit, borrow money, or take out mortgages [2]. Now, the attacker(s) can also make predictions and assessments of consumers' lives, in addition to compromising financial accounts and stealing identities. By necessity of its function, the data sets had to be robust enough to approximate an individual's life. Now the lives of 143 million Americans are in the hands of an unknown malicious threat actor. At any time in the next few days to the next few decades, that adversary could sell or disclose the data publicly and inflict severe short-term and long-term harm on approximately 44 percent of the United States population [2].

Background

On July 29, 2017, Equifax discovered that for at least two months, a remote adversary had exploited an unpatched Apache Struts vulnerability (CVE-2017-5638) and exfiltrated the extensive and sensitive credit record information of 143 million Americans. The credit card information of 209,000 consumers was also exposed. Definitive details of the attack are still emerging, but some postulate that the attackers may have discovered vulnerable Equifax servers via Shodan, or that they may have piggybacked off of affiliated banking networks and compromised Equifax's system laterally [2] [3]. A patch for CVE-2017-5638 was made available publicly on March 7, 2017, at least two months before the breach; however, negligent system administrators within Equifax failed to apply the patch to the vulnerable systems.
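The core failure in this paragraph is a patch-exposure window: a fix was public for months while the vulnerable component kept running. The following is an added example (not code from the article, ICIT, or Equifax) of the kind of check a vulnerability-management team uses to surface that window before an intrusion does. The three dates are the ones the article gives; the host inventory, hostnames, component labels and the 30-day SLA are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Dates taken from the article: the Struts fix for CVE-2017-5638 was published
# on March 7, 2017; Equifax discovered the intrusion on July 29, 2017 and
# disclosed it on September 7, 2017.
STRUTS_FIX_PUBLISHED = date(2017, 3, 7)
BREACH_DISCOVERED = date(2017, 7, 29)
BREACH_DISCLOSED = date(2017, 9, 7)


@dataclass(frozen=True)
class Advisory:
    cve: str
    component: str
    fix_published: date


@dataclass(frozen=True)
class Host:
    """One entry from a (constructed) asset inventory."""
    name: str
    component: str
    last_patched: Optional[date]   # None means the component was never updated
    scanned_on: date


def exposure_days(host: Host, advisory: Advisory) -> int:
    """Days the host has run the affected component without the published fix.

    Returns 0 when the host does not run the component or was patched on or
    after the fix publication date.
    """
    if host.component != advisory.component:
        return 0
    if host.last_patched is not None and host.last_patched >= advisory.fix_published:
        return 0
    return max(0, (host.scanned_on - advisory.fix_published).days)


def overdue_hosts(hosts: List[Host], advisory: Advisory, sla_days: int) -> List[str]:
    """Names of hosts whose exposure window exceeds the patching SLA."""
    return sorted(h.name for h in hosts if exposure_days(h, advisory) > sla_days)


def breach_timeline_days() -> dict:
    """The three intervals the article describes, in days."""
    return {
        "fix_to_discovery": (BREACH_DISCOVERED - STRUTS_FIX_PUBLISHED).days,
        "discovery_to_disclosure": (BREACH_DISCLOSED - BREACH_DISCOVERED).days,
        "fix_to_disclosure": (BREACH_DISCLOSED - STRUTS_FIX_PUBLISHED).days,
    }


# Constructed sample inventory; hostnames and patch dates are hypothetical.
STRUTS_ADVISORY = Advisory("CVE-2017-5638", "apache-struts", STRUTS_FIX_PUBLISHED)
SAMPLE_HOSTS = [
    Host("web-portal-01", "apache-struts", None, BREACH_DISCOVERED),
    Host("web-portal-02", "apache-struts", date(2017, 3, 10), BREACH_DISCOVERED),
    Host("db-01", "postgresql", date(2017, 1, 15), BREACH_DISCOVERED),
]

if __name__ == "__main__":
    print(breach_timeline_days())
    for h in SAMPLE_HOSTS:
        print(h.name, exposure_days(h, STRUTS_ADVISORY), "days exposed")
    print("overdue (30-day SLA):", overdue_hosts(SAMPLE_HOSTS, STRUTS_ADVISORY, 30))
```

Run against the constructed inventory, the never-patched portal shows the same 144-day window the article's dates imply between fix publication and discovery, and is the only host the 30-day SLA flags; the point of keeping `last_patched` rather than a version string is that the check works for any component whose patch date is recorded in the inventory.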

The breach was not disclosed to the public until September 7, 2017. Equifax claims that it spent the intervening time working with a cybersecurity consultant and authorities; however, in that time, Equifax amended its terms and conditions to reduce legal liability, lobbied against victim breach protections, and planned initiatives that exploited victims of the breach further or forced them to sign away their ability to litigate. Overwhelming public outcry has since compelled Equifax to retract its claim over victim arbitration rights and offer free credit monitoring and credit freezes for a year. It should be noted that the risk to victims will likely last decades. The offered TrustedID credit monitoring service auto-renews for a fee after the first year. Equifax will thereby profit from its victims in the future.

Equifax relied on a haphazardly designed website for its breach response. The site proved unable to report accurately whether consumers were victims of the breach [4]. Some users reported that the site accepted fake information or gave differing results for the same input. Its name, equifaxsecurity2017.com, resembled the naming schema of phishing sites. The site was initially blocked by some
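The naming problem described above (a brand name joined to a lure word and a year, on an apex domain the brand does not own) is exactly the pattern mail and web filters are tuned to flag, which is why a breach-response site built that way gets blocked and teaches customers the wrong habit. The following is an added example, not code from the article or from Equifax, of a heuristic a security team can apply when vetting a domain before directing customers to it. The trusted-domain set and the lure-word list are assumptions constructed for the example, and the apex-domain helper deliberately ignores multi-part public suffixes such as co.uk.

```python
import re
from typing import List

# Domains the organization legitimately controls. Constructed for this example;
# a real deployment would load this from the asset register.
TRUSTED_APEX = {"equifax.com"}
BRAND = "equifax"

# Words commonly joined to a brand name in impersonation domains (constructed list).
LURE_WORDS = ("security", "secure", "alert", "breach", "verify", "support")


def apex_domain(hostname: str) -> str:
    """Last two labels of a hostname (simplification: ignores multi-part public suffixes)."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def lookalike_signals(hostname: str) -> List[str]:
    """Reasons a hostname looks like a brand impersonation; empty if it looks legitimate."""
    host = hostname.lower()
    signals: List[str] = []
    apex = apex_domain(host)
    # The brand string appearing anywhere in a name that is not under a trusted apex
    # is the primary signal; the others only refine it.
    if BRAND in host and apex not in TRUSTED_APEX:
        signals.append("brand name outside trusted apex")
        apex_label = apex.split(".")[0]
        if any(word in apex_label for word in LURE_WORDS):
            signals.append("lure keyword joined to brand")
        if re.search(r"(19|20)\d{2}", apex_label):
            signals.append("year embedded in domain")
    return signals


def is_lookalike(hostname: str) -> bool:
    """Convenience wrapper: any signal at all marks the name as suspect."""
    return bool(lookalike_signals(hostname))


if __name__ == "__main__":
    for name in ("equifaxsecurity2017.com", "www.equifax.com", "equifax.com.example.net"):
        print(name, "->", lookalike_signals(name) or "no signals")
```

The domain the article names trips all three signals, while a subdomain of the trusted apex trips none; a name that prefixes the brand to someone else's apex is still caught by the primary check even without a lure word or year.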
